Class SessionCsrfProtectionMiddleware

Provides CSRF protection via session based tokens.

This middleware adds a CSRF token to the session. Each request must contain a token in request data, or the X-CSRF-Token header on each PATCH, POST, PUT, or DELETE request. This follows a 'synchronizer token' pattern.

If the request data is missing or does not match the session data, an InvalidCsrfTokenException will be raised.

This middleware integrates with the FormHelper automatically and when used together your forms will have CSRF tokens automatically added when $this->Form->create(...) is used in a view.

If you use this middleware do not also use CsrfProtectionMiddleware.

Namespace: Cake\Http\Middleware
See: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern

Constants

int

TOKEN_VALUE_LENGTH
```
32
```

Property Summary

$_config protected

array<string, mixed>

Config for the CSRF handling.
$skipCheckCallback protected

callable|null

Callback for deciding whether to skip the token check for particular request.

Method Summary

__construct() public

Constructor
createToken() public

Create a new token to be used for CSRF protection
process() public

Checks and sets the CSRF token depending on the HTTP verb.
saltToken() public

Apply entropy to a CSRF token
skipCheckCallback() public

Set callback for allowing to skip token check for particular request.
unsaltToken() protected

Remove the salt from a CSRF token.
unsetTokenField() protected

Remove CSRF protection token from request data.
validateToken() protected

Validate the request data against the cookie token.

Method Detail

__construct() public

__construct(array<string, mixed> $config = [])

Constructor

Parameters

array<string, mixed> $config optional: Config options. See $_config for valid keys.

createToken() public

createToken(): string

Create a new token to be used for CSRF protection

This token is a simple unique random value as the compare value is stored in the session where it cannot be tampered with.

Returns

string

process() public

process(ServerRequestInterface $request, RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface

Checks and sets the CSRF token depending on the HTTP verb.

Processes an incoming server request in order to produce a response. If unable to produce the response itself, it may delegate to the provided request handler to do so.

Parameters

ServerRequestInterface $request: The request.
RequestHandlerInterface $handler: The request handler.

Returns

Psr\Http\Message\ResponseInterface

saltToken() public

saltToken(string $token): string

Apply entropy to a CSRF token

To avoid BREACH apply a random salt value to a token When the token is compared to the session the token needs to be unsalted.

Parameters

string $token: The token to salt.

Returns

string

skipCheckCallback() public

skipCheckCallback(callable $callback): $this

Set callback for allowing to skip token check for particular request.

The callback will receive request instance as argument and must return true if you want to skip token check for the current request.

Parameters

callable $callback: A callable.

Returns

$this

unsaltToken() protected

unsaltToken(string $token): string

Remove the salt from a CSRF token.

If the token is not TOKEN_VALUE_LENGTH * 2 it is an old unsalted value that is supported for backwards compatibility.

Parameters

string $token: The token that could be salty.

Returns

string

unsetTokenField() protected

unsetTokenField(Psr\Http\Message\ServerRequestInterface $request): Psr\Http\Message\ServerRequestInterface

Remove CSRF protection token from request data.

This ensures that the token does not cause failures during form tampering protection.

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request object.

Returns

Psr\Http\Message\ServerRequestInterface

validateToken() protected

validateToken(Psr\Http\Message\ServerRequestInterface $request, Cake\Http\Session $session): void

Validate the request data against the cookie token.

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request to validate against.
Cake\Http\Session $session: The session instance.

Returns

void

Throws

Cake\Http\Exception\InvalidCsrfTokenException
When the CSRF token is invalid or missing.

Property Detail

`$_config` protected

Config for the CSRF handling.

key The session key to use. Defaults to csrfToken
- field The form field to check. Changing this will also require configuring FormHelper.

Type

array<string, mixed>

`$skipCheckCallback` protected

Callback for deciding whether to skip the token check for particular request.

CSRF protection token check will be skipped if the callback returns true.

Type

callable|null

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Http.Middleware.SessionCsrfProtectionMiddleware.html

Class SessionCsrfProtectionMiddleware

Constants

Property Summary

Method Summary

__construct() public

createToken() public

process() public

saltToken() public

skipCheckCallback() public

unsaltToken() protected

unsetTokenField() protected

validateToken() protected

Method Detail

__construct() public

Parameters

createToken() public

Returns

process() public

Parameters

Returns

saltToken() public

Parameters

Returns

skipCheckCallback() public

Parameters

Returns

unsaltToken() protected

Parameters

Returns

unsetTokenField() protected

Parameters

Returns

validateToken() protected

Parameters

Returns

Throws

Property Detail

$_config protected

Type

$skipCheckCallback protected

Type

`$_config` protected

`$skipCheckCallback` protected